(s->version > SSL3_VERSION) &&
(s->s3->handshake_fragment_len >= 4) &&
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
- (s->session != NULL) && (s->session->cipher != NULL) &&
- !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ (s->session != NULL) && (s->session->cipher != NULL)) {
/*s->s3->handshake_fragment_len = 0;*/
rr->length = 0;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
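Review bot: With the option test dropped from the condition, this block now unconditionally answers a renegotiation ClientHello from a peer lacking secure renegotiation with an SSL_AD_NO_RENEGOTIATION warning alert, but nothing in the code states that this is now the only policy; a comment on the `if` would save the next reader a trip through the history, e.g. `/* Refuse renegotiation from clients without secure renegotiation (RFC 5746); there is no longer an option to allow it. */`. The commented-out `/*s->s3->handshake_fragment_len = 0;*/` line is dead code inside a block this commit already touches and could be deleted at the same time. The enclosing `if` and the function it belongs to start outside the hunk. The identical change is made again in the second copy of this file at the end of the diff; the same remarks apply there.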
BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
BIO_printf(bio_err, " for those protocols that support it, where\n");
BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err, " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
BIO_printf(bio_err, " are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
#endif
#endif
- BIO_printf(bio_err, " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#ifndef OPENSSL_NO_SRTP
BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
#endif
enum {
PROTO_OFF = 0,
PROTO_SMTP,
+ PROTO_LMTP,
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
else if (strcmp(*argv, "-serverpref") == 0)
off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv, "-legacy_renegotiation") == 0)
- off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ; /* no-op */
else if (strcmp(*argv, "-legacy_server_connect") == 0) {
off |= SSL_OP_LEGACY_SERVER_CONNECT;
} else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
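Review bot: The bare `;` body of the `-legacy_renegotiation` branch silently accepts a flag that no longer does anything, and since the usage text earlier in the diff no longer lists it, someone still passing it in a script gets no hint that its meaning changed; a one-line diagnostic is cheap: `BIO_printf(bio_err, "-legacy_renegotiation is ignored\n");` in place of the empty statement. An empty statement as an `else if` body is also easy to misread as belonging to the following `else if`; braces around it would make the intent explicit. The same pattern is used in the s_server option parsing later in this diff (its `-legacy_renegotiation` branch), where the same diagnostic would apply. The option-parsing chain continues on both sides of the hunk.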
++argv;
if (strcmp(*argv, "smtp") == 0)
starttls_proto = PROTO_SMTP;
+ else if (strcmp(*argv, "lmtp") == 0)
+ starttls_proto = PROTO_LMTP;
else if (strcmp(*argv, "pop3") == 0)
starttls_proto = PROTO_POP3;
else if (strcmp(*argv, "imap") == 0)
* push a buffering BIO into the chain that is removed again later on
* to not disturb the rest of the s_client operation.
*/
- if (starttls_proto == PROTO_SMTP) {
+ if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
}
while (mbuf_len > 3 && mbuf[3] == '-');
/* STARTTLS command requires EHLO... */
- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
+ BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
+ starttls_proto == PROTO_SMTP ? 'E' : 'L');
(void) BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do {
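Review bot: The comments around the rewritten greeting still speak only of EHLO and SMTP, while the `%c` now also produces LHLO for LMTP; they should read `/* STARTTLS command requires EHLO (SMTP) or LHLO (LMTP)... */` and `/* wait for multi-line response to end EHLO/LHLO response */`. Building the verb from a single `%c` is compact but hides what is actually sent; `BIO_printf(fbio, "%s openssl.client.net\r\n", starttls_proto == PROTO_SMTP ? "EHLO" : "LHLO");` reads more directly. This presumably sits inside the `if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP)` block from the previous hunk, so the ternary cannot see a third value; if that is not the case the `'L'` fallback would be wrong for other protocols. The enclosing block and the `do` loop extend outside the hunk.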
BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#ifndef OPENSSL_NO_NEXTPROTONEG
BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
#endif
else if (strcmp(*argv, "-serverpref") == 0) {
off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
} else if (strcmp(*argv, "-legacy_renegotiation") == 0)
- off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ; /* no-op */
else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;
=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the B<SECURE RENEGOTIATION> section for more details.
+As of OpenBSD 5.6, this option has no effect.
+In previous versions it allowed legacy insecure renegotiation between
+OpenSSL and unpatched clients or servers.
+See the B<SECURE RENEGOTIATION> section for more details.
=item SSL_OP_LEGACY_SERVER_CONNECT
B<handshake_failure> alert is sent. This is because the server code may be
unaware of the unpatched nature of the client.
-If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
-renegotiation B<always> succeeds.
-
B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
unpatched) will result in the connection hanging if it receives a
B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
=head2 Patched OpenSSL client and unpatched server.
-If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> is set then initial connections
and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.
B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
SSL_clear_options().
-The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
-B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
-renegotiation between OpenSSL clients and unpatched servers B<only>, while
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
-and renegotiation between OpenSSL and unpatched clients or servers.
-
=head1 RETURN VALUES
SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
and the function SSL_get_secure_renegotiation_support() were first added in
OpenSSL 0.9.8m.
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> was changed to have no effect
+in OpenBSD 5.6.
+
=cut
(s->version > SSL3_VERSION) &&
(s->s3->handshake_fragment_len >= 4) &&
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
- (s->session != NULL) && (s->session->cipher != NULL) &&
- !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ (s->session != NULL) && (s->session->cipher != NULL)) {
/*s->s3->handshake_fragment_len = 0;*/
rr->length = 0;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);